Re: ISAKMP Cert Req Processing
Elfed,
> In section 5.8 of ISAKMP v8
>
> When Cert Req payload is received ......
>
> 2. Determine if the Certificate types are supported. If ANY of the
> certificate types are not supported, the message is discarded and the
> following actions taken ........
>
> Q. This (IMHO) implies that an entity must support all certificate
> types. Is this the case?
>
This section is changing in the next version. However, it is still
based on the list of certificate types found in section 3.9
(Certificate Payload).
This does not imply that an entity must support all certificate types.
It just means you check to see if you support the certificate
requested. If you do, then proceed; if you don't, then you'll do
something else. The something else is what Ted and Michael have been
asking about on the list, i.e. a Notify message that the certificate is
missing, unavailable, or not supported. The question is: should there
be more than one message? Missing, Unavailable, and Not Supported are a
little different. I think Missing and Unavailable can be put into the
same group and satisfied with a single Notify message. Not Supported is
entirely different and would allow a responder to convey some
information to the initiator.
Hope this helps.
Cheers,
Doug
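The receiver-side check Doug describes, worked through as an added example that is not part of the original message: parse a Certificate Request payload, see whether the requested certificate type is one we support, and if so proceed with a matching local certificate, otherwise produce the "not supported" Notify, or the "missing/unavailable" Notify when the type is supported but no suitable certificate is at hand. The payload layout (Next Payload, RESERVED, Payload Length, # Cert Type, Certificate Authority) and the certificate type codes follow the ISAKMP Certificate Request and Certificate Payload sections; the Notify type names and numbers are the ones that appeared in RFC 2408 as published, not in the draft discussed here, so treat those codes, the sample authority string and the certificate bytes as constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Certificate encoding types from the ISAKMP Certificate Payload section (3.9).
# Values as in RFC 2408; the thread discusses an earlier draft, so verify
# against the version you implement (assumption).
CERT_TYPES = {
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP Certificate",
    3: "DNS Signed Key",
    4: "X.509 Certificate - Signature",
    5: "X.509 Certificate - Key Exchange",
    6: "Kerberos Tokens",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",
}

# The two Notify outcomes the message distinguishes. Names and numbers are the
# RFC 2408 ones; the draft under discussion had not settled them (assumption).
NOTIFY_CERT_TYPE_UNSUPPORTED = 21     # "Not Supported": the responder cannot handle the type
NOTIFY_CERTIFICATE_UNAVAILABLE = 28   # "Missing / Unavailable": supported, but nothing to send


@dataclass
class CertReq:
    next_payload: int
    length: int
    cert_type: int
    authority: bytes   # Certificate Authority field; empty means "no preference"


def build_cert_req(next_payload: int, cert_type: int, authority: bytes) -> bytes:
    """Encode a Certificate Request payload (used here to build constructed samples)."""
    return struct.pack("!BBHB", next_payload, 0, 5 + len(authority), cert_type) + authority


def parse_cert_req(payload: bytes) -> CertReq:
    """Parse one Certificate Request payload, rejecting malformed length fields."""
    if len(payload) < 5:
        raise ValueError("Certificate Request payload too short")
    next_payload, reserved, length, cert_type = struct.unpack("!BBHB", payload[:5])
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    if length < 5 or length > len(payload):
        raise ValueError("Payload Length inconsistent with received data")
    return CertReq(next_payload, length, cert_type, payload[5:length])


def process_cert_req(payload: bytes, supported_types, local_certs):
    """Decide what to do with a received Certificate Request.

    supported_types: set of certificate type codes this entity can produce.
    local_certs: list of (cert_type, authority, cert_bytes) we hold.
    Returns ("proceed", cert_bytes) or ("notify", notify_type).
    """
    req = parse_cert_req(payload)
    # Step 2 of the processing rules: is the requested type one we support?
    # Unknown codes and known-but-unsupported codes both fall into "Not Supported".
    if req.cert_type not in CERT_TYPES or req.cert_type not in supported_types:
        return ("notify", NOTIFY_CERT_TYPE_UNSUPPORTED)
    # Supported type: look for a certificate, honouring a requested authority if given.
    for cert_type, authority, cert_bytes in local_certs:
        if cert_type == req.cert_type and (req.authority == b"" or authority == req.authority):
            return ("proceed", cert_bytes)
    # Supported, but we have no certificate of that type (from that authority):
    # Doug's "Missing" and "Unavailable" collapse into one Notify.
    return ("notify", NOTIFY_CERTIFICATE_UNAVAILABLE)


# Constructed sample data (not from any real exchange).
SAMPLE_CA = b"CN=Example CA"
SAMPLE_CERTS = [(4, SAMPLE_CA, b"<constructed X.509 signature certificate>")]
SAMPLE_SUPPORTED = {4, 7}   # we can hand out X.509 signature certs and CRLs


def demo():
    """Run the three cases the message distinguishes and return the outcomes."""
    return {
        "supported_and_held": process_cert_req(build_cert_req(0, 4, SAMPLE_CA), SAMPLE_SUPPORTED, SAMPLE_CERTS),
        "any_authority": process_cert_req(build_cert_req(0, 4, b""), SAMPLE_SUPPORTED, SAMPLE_CERTS),
        "not_supported": process_cert_req(build_cert_req(0, 2, b""), SAMPLE_SUPPORTED, SAMPLE_CERTS),
        "unavailable": process_cert_req(build_cert_req(0, 4, b"CN=Other CA"), SAMPLE_SUPPORTED, SAMPLE_CERTS),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The length checks in `parse_cert_req` matter in practice: a Payload Length larger than the bytes actually received is a classic way for a peer to make a naive parser read past its buffer, so the parser refuses such a payload rather than trusting the field.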